Full Report
A European embassy located in the Indian capital of New Delhi, as well as multiple organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025. The activity "reveals a notable evolution in SideWinder's TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in
Analysis Summary
# Threat Actor: SideWinder
## Attribution & Identity
* **Actor Identification:** SideWinder
* **Aliases/Known Associations:** None named in this summary; the actor is known for cyber espionage.
## Activity Summary
SideWinder orchestrated a new cyber espionage campaign observed in September 2025, following multi-wave spear-phishing campaigns conducted from March through September 2025. This activity reveals a "notable evolution" in their Tactics, Techniques, and Procedures (TTPs), specifically the adoption of a novel PDF and ClickOnce-based infection chain alongside previously documented Microsoft Word exploits. The campaign aimed to gather sensitive information from compromised systems using the ModuleInstaller and StealerBot malware families.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing via emails containing lures (e.g., "Inter-ministerial meeting Credentials.pdf," "India-Pakistan Conflict -Strategic and Tactical Analysis of the May 2025.docx").
- **Infection Chain Evolution:** Adoption of a novel PDF and ClickOnce-based infection chain, evolving beyond previous reliance solely on Microsoft Word exploits.
- **Initial Lure Documents:** PDF files that prompt the victim to install the latest Adobe Reader in order to view the content, or Word documents carrying exploits.
- **ClickOnce Exploitation:** The PDF lure triggers the download and installation of a ClickOnce application ("ReaderConfiguration.exe", a legitimate, validly signed MagTek Inc. binary) from a remote server (**mofa-gov-bd[.]filenest[.]live**).
- **DLL Sideloading:** The ClickOnce application sideloads a malicious DLL named **DEVOBJ.dll**.
- **Decoy:** Simultaneously launches a decoy PDF document to keep the victim occupied.
- **Payload Delivery:** The rogue DLL decrypts and launches a .NET loader called **ModuleInstaller**.
- **Network Evasion:** Command-and-control (C2) server requests are region-locked to South Asia; payload download paths are dynamically generated.
- **Post-Compromise:** ModuleInstaller profiles the system and delivers the **StealerBot** implant.
## Targeting
- **Sectors:** Diplomatic entities and government organizations (implied by targets).
- **Geography:** South Asia.
- **Victims:** A European embassy in New Delhi (India), and multiple organizations in Sri Lanka, Pakistan, and Bangladesh.
## Tools & Infrastructure
- **Malware Families Used:**
  * **ModuleInstaller:** A .NET loader used as a downloader for next-stage payloads.
  * **StealerBot:** A .NET implant capable of launching a reverse shell, dropping additional malware, and exfiltrating data (screenshots, keystrokes, passwords, files).
- **Infrastructure:**
  * **Impersonated Domain:** **mod.gov.bd.pk-mail[.]org** (used for sending phishing emails, mimicking the Ministry of Defense of Pakistan).
  * **Download Server:** **mofa-gov-bd[.]filenest[.]live** (used for hosting the ClickOnce application).
## Implications
SideWinder demonstrates a persistent and sophisticated approach to cyber espionage, showing adaptability by evolving its initial infection vectors (adopting ClickOnce alongside traditional methods). The use of legitimate, signed executables for sideloading and region-locked C2 traffic indicates a high level of operational security tailored to evade detection by security defenses in the target region. Their focus remains on gathering intelligence from high-value diplomatic and governmental targets.
## Mitigations
- Implement robust email filtering to block spear-phishing attempts originating from suspicious domains, even those mimicking official government addresses.
- Harden systems against the execution of unknown or untrusted ClickOnce applications, particularly those sideloading DLLs.
- Monitor for legitimate applications (such as the MagTek ReaderConfiguration.exe binary) opening unexpected network connections or loading unknown DLLs from non-system locations (**DEVOBJ.dll**).
- Monitor network traffic for C2 communications directed to South Asia that use dynamically generated payload download paths.
- Maintain up-to-date security solutions capable of detecting Loader/Downloader activity (ModuleInstaller) and sophisticated .NET implants (StealerBot).
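The following added example, which is not part of the original report, turns the infection chain described under "Tactics, Techniques & Procedures" and the monitoring items under "Mitigations" into a small detection pass over endpoint and mail-gateway telemetry. It uses only the indicators the report gives (the two domains and the DEVOBJ.dll sideload); everything else is an assumption: the simplified `Key=Value` event format, the sample events themselves (constructed, not captured from a real incident), and the ClickOnce cache path under `%LocalAppData%\Apps\2.0`, which is where ClickOnce installs applications but which the report does not mention.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the report above (defanging brackets removed so they match).
IOC_HOSTS = {"mofa-gov-bd.filenest.live", "mod.gov.bd.pk-mail.org"}

# DEVOBJ.dll is a genuine Windows DLL; the campaign abuses its name for sideloading.
SIDELOADED_DLL = "devobj.dll"
# Directories where the real DEVOBJ.dll lives; a load from anywhere else is suspicious.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Assumption (not stated in the report): ClickOnce applications are installed and
# executed from the per-user cache under %LocalAppData%\Apps\2.0.
CLICKONCE_CACHE = "\\appdata\\local\\apps\\2.0\\"

# Constructed sample telemetry in a simplified Sysmon-like "Key=Value" form.
# EventID 1 = process start, 7 = image (DLL) load, 3 = network connection,
# "mail" = a mail-gateway record. None of these lines come from a real host.
SAMPLE_EVENTS = [
    "EventID=mail SenderDomain=mod.gov.bd.pk-mail.org Attachment=Inter-ministerial_meeting_Credentials.pdf",
    "EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\XY\\ReaderConfiguration.exe",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\XY\\ReaderConfiguration.exe "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\XY\\DEVOBJ.dll",
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\devobj.dll",
    "EventID=3 Image=C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\XY\\ReaderConfiguration.exe "
    "DestinationHostname=mofa-gov-bd.filenest.live DestinationPort=443",
    "EventID=3 Image=C:\\Apps\\browser.exe DestinationHostname=example.org DestinationPort=443",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one 'Key=Value Key=Value ...' line into a dict (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def in_trusted_dir(path):
    """True if the DLL path sits directly under one of the trusted system directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def check_event(ev):
    """Return the names of all detection rules that fire on one parsed event."""
    hits = []
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "")

    # Rule 1: DEVOBJ.dll loaded from outside System32/SysWOW64 -> classic sideload.
    if loaded and PureWindowsPath(loaded).name.lower() == SIDELOADED_DLL \
            and not in_trusted_dir(loaded):
        hits.append("devobj_sideload")

    # Rule 2: an application running from the ClickOnce cache opens a network connection.
    # ReaderConfiguration.exe is a card-reader utility; outbound traffic from it is unusual.
    if ev.get("EventID") == "3" and CLICKONCE_CACHE in image:
        hits.append("clickonce_app_network")

    # Rule 3: any contact with, or mail from, a domain the report names as attacker infrastructure.
    host = (ev.get("DestinationHostname") or ev.get("QueryName")
            or ev.get("SenderDomain") or "").lower()
    if host in IOC_HOSTS:
        hits.append("known_ioc_host")
    return hits


def scan(lines):
    """Run every rule over every event; return (event_index, rule_name) pairs in order."""
    alerts = []
    for idx, line in enumerate(lines):
        for rule in check_event(parse_event(line)):
            alerts.append((idx, rule))
    return alerts


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The sideload rule keys on the DLL's location rather than its hash, so it still fires if the attacker rebuilds DEVOBJ.dll; the legitimate load of `C:\Windows\System32\devobj.dll` by svchost.exe in the sample is correctly ignored. The ClickOnce rule is deliberately broad (any cached ClickOnce app talking to the network) and is meant as a hunting query to be tuned per environment, since line-of-business ClickOnce deployments legitimately call home.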